Yubico / pam-u2f

Pluggable Authentication Module (PAM) for U2F and FIDO2
https://developers.yubico.com/pam-u2f/
BSD 2-Clause "Simplified" License

pamu2fcfg: Trezor Model T fails to register #176

Closed digital-mystik closed 3 years ago

digital-mystik commented 3 years ago

When attempting to register a Trezor Model T, a prompt on the device will appear with either a confirm or deny option, but will subsequently fail with error: fido_cred_verify (-7) FIDO_ERR_INVALID_ARGUMENT after a selection is made.

Browser U2F functionality works as expected with being able to log in to respective accounts.

Arch Linux kernel: 5.11.16 (also tested on 5.10.32 LTS with same issue)
pam-u2f: 1.10
libfido2: 1.7.0
trezor firmware: 2.3.6

Apologies if this belongs in the libfido2 repo instead.


debug output

Before prompt selection on device:

fido_hid_unix_open: open /dev/hidraw3: Permission denied

After prompt selection on device:

decode_attcred: attcred->id.len=105
fido_cred_verify: cdh=0x55b2120f3520, authdata=0x55b2120f6610, x5c=(nil), sig=0x55b212106d30, fmt=0x55b212107aa0 id=0x55b2120f4a50, rp.id=pam://asdf
error: fido_cred_verify (-7) FIDO_ERR_INVALID_ARGUMENT

LDVG commented 3 years ago

Hi,

Thanks for the report! This particular problem was fixed in #168, but has not yet made it into a release.

prusnak commented 3 years ago

@LDVG Any plans to cut a release soon?

ghost commented 3 years ago

Me too, would love to see a release - can't do PAM login or sudo without it, one of the selling points of Trezor!

digital-mystik commented 3 years ago

@uoccou building using git works for me in the meantime; the PR was merged

ghost commented 3 years ago

Thanks, I'll give it a whirl

LDVG commented 3 years ago

@prusnak, @uoccou, @digital-mystik: sorry for the delay, we have released v1.1.1 today.

prusnak commented 3 years ago

> @prusnak, @uoccou, @digital-mystik: sorry for the delay, we have released v1.1.1 today.

Thanks!

ghost commented 3 years ago

Super

On May 19, 2021 2:32:36 PM UTC, Ludvig Michaelsson wrote:

> @., @uoccou, @digital-mystik: sorry for the delay, we have released v1.1.1 today.
